How TRI Resources dodged the Heartbleed bullet

First the good news: TRI Resources servers have not been affected by the Heartbleed vulnerability

If you’d like to read more about heartbleed, I recommend checking out the complete explanation at heartbleed.com, prepared by the security firm Codenomicon. It’s more complete and authoritative than anything I could write.

Sometimes being lucky is the only thing that works

This vulnerability has been in place on the majority of linux web servers built since late 2012. It’s an obscure problem with OpenSSL, the primary security package used to control server access. It’s easy to think that when web servers get hacked, it’s because of bad practices, mistakes, etc. But this time, following best practices and doing everything “right” was no help.

How did we fare so well? Luck mostly. We launched our most recent production servers just prior to the time the vulnerable versions of OpenSSL were released, so we don’t use (and never have used) the affected versions of OpenSSL on our production servers. Upgrading that segment of our infrastructure is on our schedule for 2014 and we’re just lucky we had not gotten around to it yet.

So how big is this problem really?

An existing (but not publicly discovered) vulnerability like this is like suddenly finding out that all the houses built since 2012 can be opened with the same key. It is possible that no one ever figured this out and that no one has ever broken in. But it’s also possible that clever crooks have been sneaking in since 2012 to spy on you, steal information and identity, plant bugs and video cameras, copy your keys, etc. (Anyone smart enough to do this on the web would almost certainly be smart enough to keep their “golden goose” a secret.) The best minds seem to think the answer’s somewhere in the middle.

As a web site owner, you have to assume the worst. If there’s a possibility of compromise, it’s time to “change all the locks” so to speak, but also to fess up if it is possible your users’ data has been exposed. (I am curious to see how many companies step up and admit this clearly.)

As a person, this is one more reason to be careful about what information you are willing to provide on the web. Even trustworthy companies using the best tools, resources, and industry practices were not immune to this one, and it’s not likely to be the last.

The only sure thing may be to keep your information private to begin with. Whatever you think, but you really should change some passwords! Now.